Automation is really important in penetration testing engagements because it can help the penetration tester to save time and to give more attention to other activities.For that reason many pen testers are putting effort to build tools to assist them with a variety of tasks.Such a tool is the recon-ng which can perform web-based reconnaissance and it can be used in social engineering engagements or for extracting information that exists on the web.In this article we will examine how we can use the Recon-Ng framework to discover different type of information.

We can type help in the framework in order to see a list with all the available commands.

recon-ng – commands

We can see that there is a command named modules.We will type that command to check the existing modules that we can use.In the next image you can see a sample of the available modules.

recon-ng – sample of the available modules

There is a module called contacts_jigsaw.Jigsaw is a website similar to Linkedin that contains a large database of business contacts.So let’s say that we want to discover the contacts of a company that exists on jigsaw.We will load the module with the command load contacts_jigsaw and we will set the domain of our preference.

load jigsaw module

in the next image we can see a sample of the output:

recon-ng – Gathering Contacts

Now that we have some contacts we can try to use the Google module to discover additional domains of the same company.

discover hosts via google

In the image below we can see a sample of the results that recon-ng has produced.

Discovering subdomains with recon-ng

Recon-ng gives us also the ability to extract the results in CSV format or in an HTML file.

Save the results in HTML file

You can see in the next two images the output of the report:

recon-ng – Report

recon-ng report contacts

Conclusion

Recon-ng is a great framework that can help in the information gathering stage of a penetration test.This tool is really simple to use and it holds every result in its database for later use.The report that generates is well formatted and if in the future additional modules will added on the framework then it will included in every penetration tester toolkit.